Potential Network Sweep Detected
This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.
[metadata]
# Rule lifecycle dates, kept as "YYYY/MM/DD" strings.
creation_date = "2023/05/17"
updated_date = "2024/09/18"
# Integrations this rule is written against; presumably the sources of the
# data streams listed under [rule].index — confirm against the index patterns.
integration = ["endpoint", "network_traffic", "panw"]
maturity = "production"

[rule]
author = ["Elastic"]
# NOTE(review): the "10 or more destination hosts" wording below does not match
# [rule.threshold], where the cardinality on destination.ip is 100; reconcile the two.
description = """
This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network,
identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses.
This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data
theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one
source host to 10 or more destination hosts on commonly used network services.
"""
# Lookback window; the counts in [rule.threshold] are taken over events in this span.
from = "now-9m"
# Data streams searched (Beats indices plus the Network Traffic, Elastic Defend and PAN-OS streams).
index = [
    "packetbeat-*",
    "auditbeat-*",
    "filebeat-*",
    "logs-network_traffic.*",
    "logs-endpoint.events.network-*",
    "logs-panw.panos*",
]
language = "kuery"
license = "Elastic License v2"
# Upper bound on alerts emitted per rule execution.
max_signals = 5
name = "Potential Network Sweep Detected"
# Candidate events: connections to common management/file-sharing ports (FTP, SSH,
# Telnet, SMTP, NetBIOS, SMB, RDP, WinRM) from RFC 1918 sources only. Sweeps from
# sources outside these ranges (IPv6, 100.64.0.0/10, non-private internal space)
# are not evaluated at all; tune the source.ip clause per environment.
query = """
destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
"""
risk_score = 21
rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
severity = "low"
tags = [
    "Domain: Network",
    "Tactic: Discovery",
    "Tactic: Reconnaissance",
    "Use Case: Network Security Monitoring",
    "Data Source: Elastic Defend",
    "Data Source: PAN-OS",
]
# Evaluate on ingest time so late-arriving events still fall inside the window.
timestamp_override = "event.ingested"
type = "threshold"

[[rule.threat]]
framework = "MITRE ATT&CK"
# Technique mapping for the Discovery tactic below.
technique = [
    { id = "T1046", name = "Network Service Discovery", reference = "https://attack.mitre.org/techniques/T1046/" },
]

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"

# Technique mapping for the Reconnaissance tactic above.
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
subtechnique = [
    { id = "T1595.001", name = "Scanning IP Blocks", reference = "https://attack.mitre.org/techniques/T1595/001/" },
]

[rule.threshold]
# Events are grouped per source.ip; `value = 1` is the minimum event count per
# group, so the cardinality clause below is what actually constrains alerting.
field = ["source.ip"]
value = 1
# A group must span at least 100 distinct destination.ip values within the
# [rule].from window. NOTE(review): the rule description says "10 or more
# destination hosts"; reconcile the prose with this value.
cardinality = [
    { field = "destination.ip", value = 100 },
]